Optimize Your Data Protection Investment for Bottom Line Results DATA LOSS PREVENTION EXPERTISE Providing DLP Since 2002 Completed 500+ Assessments Deployed 400+ DLP Projects Manage DLP Solutions in 22 Countries Provide Daily Management of 1,000,000+ Users Globally Q U I C K FA C T S Symantec Master Specialization DLP Partner RSA’s Only Authorized Managed DLP Partner 1st Managed DLP Services Provider (2008) Localized Chinese DLP Practice (2011) Global Support in 130 countries Data Mining, Custom Policies, & Scripting WHAT WE WILL COVER TODAY Developing the DLP Program SYMANTEC DLP COMPONENTS DLP Use Cases – How Did They Get There? Endpoint Prevent DLP Program Symantec Data LossDeveloping Prevention the Endpoint Prevent monitors files downloaded to local drives; transferred over email, IM, Web or FTP; copied to USB, CompactFlash®, SD, or other removable media; burned to CD/DVD; copied or pasted; captured via Print Screen; and printed or faxed electronically. With Symantec Data Loss Prevention, you canCommon monitor and Avoiding DLPblock: Pitfalls • • • • • • • • Instant messages sent to a partner containing confidential M&A information Web mail with product plans attached going to a competitor Opencopied Q&A to USB or other removable media devices Customer lists being Email containing PII sent via hosted email security services Source code that is copied to a local drive Mobile devices for email sent containing confidential data Product design documents being burned to CD/DVD Price lists being printed or faxed to a competitor HOW TO GET STARTED WITH DLP Developing the DLP Program Scope Processes Understanding Work Place Monitoring Requirements Designing and Implementing the DLP Program Measuring the DLP Program USE CASE 1: INCIDENTS DETECTED 2 MONTHS INTO DLP PROGRAM Captured group emails going to Gmail with unencrypted data: What of incidents or events are retained? Combination of design standards, CAD files and pro-forma product business plans including unit costs, forecasted revenue and margin data Customer and vendor lists, proprietary development processes and procedures, and pricing data from similar current product lines Performed Who real-time DLP correlation develops reports? analysis: Identified 78 design standards focused on “highly classified” next-gen product development Are DLP system generated reports adequate? Downloaded to personal USB with no legitimate business use within 1 hour after email Who drives report requirements? Requestors, Reviewers, others? Incidents reported to information security team within 2 hours of both incidents generated and correlated Report accuracy tied into QA process? Employee was in manager’s office submitting resignation as InfoSec notified the manager USE CASE 1: OBTAINING BUSINESS BUY-IN incidents or events are with retained? ComplianceWhat & Risk Management tasked implementing DLP in organization of 50,000+employees Needed to develop DLP Program allies: Key technology stakeholders: Desktop, Networking, Messaging and Storage Strong relationship with key Business Units within the DLP Program Scope Who develops reports? Generate awareness of program with key senior leadership (not excessive on front end) Targeted one business unit as early adopters and used their success to expand the DLP Are DLP system generated reports adequate? program into neighboring business units or processes. Earned Business Unit,report Data Owner or Process Advocate’sReviewers, trust and leveraged Who drives requirements? Requestors, others? their internal relationships to navigate corporate structure and help message value proposition. accuracy tied intoisQA process? 18-monthsReport into DLP Program there 100% business unit involvement. USE CASE 2: INCIDENTS DETECTED 14 DAYS INTO DLP PROGRAM What incidents or eventsHIS aresystem, retained? Vendor provides upgrade on enterprise follows all change management procedures and obtains sign-off from customer on upgrade. DLP detects unencrypted patient information being transferred via unsecured FTP site; had been configured for SFTP prior to change. Who develops reports? Information was detected the first time the bi-monthly batch-processing was completed. Comprehensive audit trail of incident data available to the organization for investigation. Are DLP system generated reports adequate? Upgrade caused numerous unforeseen changes in the HIS application that created vulnerabilities and potential for inadvertent data leakage. Who drives report requirements? Requestors, Reviewers, others? Information was sent to Business Associate but was exposed in an non-encrypted state. USE CASE 1: OBTAINING BUSINESS BUY-IN What incidents events are retained? Leveraged relationship betweenorCISO, Internal Audit and Privacy to obtain the necessary funding hard to get dollars being allocated to patient care. Defined DLP Program scope around specific elements of primary concern, specifically infectious diseases. HIV/AIDS patient data had been leaked in the past causing significant impact to the organization. Who develops reports? Shared DLP Program Scope to skeptical physician lead healthcare management team. Senior leadership wasAre in the on thegenerated project butreports once again, not too much information overload on the DLPloop system adequate? front-end. CISO and IA/Privacy developed around previous breach asReviewers, well as negative press as part of Who drives reportcosts requirements? Requestors, others? their DLP justification pitch. Clearly identified the previous costs and impacts to the organization, obtaining buy-in from senior leadership and board members. Report accuracy tied into QA process? USE CASE 3: INCIDENTS DETECTED 72 HOURS INTO DLP PROGRAM What incidents or eventsmanner are retained? Company is approached in confidential in regards to a “hostile” takeover situation and has 48 hours to respond until public notice is provided. Company crafted a set of policies within 2 hours to monitor all communication channels and endpoints within the DLP scope. Policy was enabled to: Quarantine all email communication Block all develops web basedreports? traffic or any downloading of specific keywords or specific documents Who related to the topic - management imposed gag order Within 3 hours of DLP the submission of the bidreports documents to the customer, 5 senior staff members Are system generated adequate? had a attempted to disclose the existence of the transaction. 2 email transmissions to friends/family members (spouses) 2 Who instantdrives message/chat messages to friends/family members report requirements? Requestors, Reviewers, others? 1 Google mail to friend at a investment bank who works for direct competitor of company outlining the key terms of the offer. Employee was a Senior VP with access to term sheet. Report accuracy tied into QA process? USE CASE 3: OBTAINING BUSINESS BUY-IN What incidents or events are retained? CIO driven DLP program that “dragged” the COO, CFO and General Counsel to demo and presentation of the capabilities of DLP. General Counsel set-up meeting with CEO and Board to bring visibility to the “real dangers of a digital commerce environment”. Who develops reports? CEO and executive team allocated discretionary budget to build out a DLP pilot system at corporate headquarters to monitor for pre-disclosed earning information, M&A activity and competitor communications. 100 employees at HQ outreports of 10,000 global employees. Are DLP system generated adequate? Recent trend seems to be more top down approach in regards to the assessment and adoptions of WhoHad drives report requirements? Requestors, Reviewers, and others? DLP programs. no problem with rapid deployment, policy development building the supporting incident response program. Report accuracy tied into QA process? USE CASE: DLP PRE-PROJECT STATE Organization Overview: 40,000 employees globally, Manufacturing DLP Scope: Protection of Intellectual Property (General) DLP Primary Issue: Customer overwhelmed with inaccurate incident data, no meaningful information Application Management: Operated and managed by IT Security with limited input from business. Policy Governance: Failure to use a lifecycle software development process for policy construction Incident Triage: Infrequently reviewed by IT with little to no review by business owners. Event Management: Hard to accomplish due to large # of false positives. No “gold nuggets.” Reporting and Metrics: Zero customized reports. No relevant business analysis provided. Status: System generates 25,000 incidents/day / 750,000 incidents/month MANAGING WORKPLACE PRIVACY Framework 1. 2. 3. 4. 5. 6. 7. 8. Understand your company’s data flows Identify your monitoring purpose Understand general principles underlying personal data processing Determine if other countries law’s apply to your company Understand other countries approach to workplace monitoring Understand other countries requirements to workplace monitoring Understand other countries laws Implement technology that fosters compliance with legal requirements IDENTIFY PURPOSE FOR MONITORING Generally Acceptable Business Reasons Include: • • • • • • • • • • Monitor & maximize employee productivity Protect against unauthorized use, disclosure or transfer of PII Monitor employee compliance with employer workplace policies Investigate complaints of employee misconduct Prevent industrial espionage Prevent or respond to unauthorized access to employer’s computer systems Protect computer networks from becoming overloaded Prevent or detect unauthorized utilization of employer’s computer system for criminal activities & terrorism Help prepare employer’s defense to lawsuits or administrative complaints Respond to discovery requests in litigation related to electronic evidence DETERMINE IF COUNTRY LAWS APPLY TO YOU 1. Does your company operate in that country? 2. Does your company have affiliates or subsidiaries that collect personal data in that country? 3. Does your company have employees residing in that country? 4. Does your company collect or process personal data in that country? 5. Does your company process personal data using equipment in that country? INTERNATIONAL PRIVACY LAWS BUSINESS IMPACT Must comply with privacy laws in countries where have operations, where laws can be significantly more restrictive than in the US Transfer of personal information can be blocked in other countries unless specific requirements are met Countries across the globe are adopting privacy laws UNDERSTAND GENERAL PRINCIPLES: SAFE HARBOR NOTICE - Individuals must be informed that their data is being collected and about how it will be used. CHOICE - Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties. ONWARD TRANSFER - Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles. SECURITY - Reasonable efforts must be made to prevent loss of collected information. DATA INTEGRITY - Data must be relevant and reliable for the purpose it was collected for. ACCESS - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate. ENFORCEMENT - There must be effective means of enforcing these rules. APPLICATION SUPPORT & INTEGRATION Primary System DLP Management = Human Resource / Expertise Requirements Integrated System Management = Cross Department Collaboration Processes Health Check & System Validation Management = System Resource Requirements Vendor Management = Primary and Integrated Technology Vendor Relationships POLICY & RULE GOVERNANCE Who requests rules & policy requirements? Are business owners engaged? Who reviews rule requests? Criteria for approved rule? Who’s responsible for converting a rule into technical policy? What is the formal policy development process? Do they have technical policy authoring expertise? First drafts rarely work as expected! What’s the process for converting a rule request into a policy? Is there a process to relay production policy metrics to stakeholders? WORKFLOW DEVELOPMENT & MANAGEMENT Who develops & manages policy “buckets”? False positive, inbound partner, outbound employee Triage response options: Human notification System notification (auto) Hybrid? Who defines thresholds that determine response rules for each “bucket”? Are 10 SSNs a high, medium or low severity incident? Who’s responsible for building alerts, alarms & notifications? Has business been engaged on event management? Who designs & sets the policy response triggers? Malicious, Inadvertent, Suspicious, above threshold. Who manages the DLP policy & rules repository? Why recreate the wheel? INCIDENT TRIAGE & EVENT MANAGEMENT How does DLP fit in overall incident/event management process? Who reviews volume & yield of incidents & events? How are events/incidents routed? What’s the review frequency? Who owns the incident/event? What metrics are developed to measure success of rules & related policy? Revision of rules based on quality of policy results. How will integrated systems be tied together to yield valued info? Who manages policy optimization process? Secure mail, web gateway, GRC, SIEM Who ‘s responsible for developing metrics? Can this be mapped to DLP system? BUSINESS ANALYTICS Who drives report requirements? Requestors, Reviewers, others? Who develops reports? Do they have the expertise with 3rd party reporting tools? Are DLP system generated reports adequate? Are the metrics valuable & driving meaningful change? Report accuracy tied into QA process? PITFALL 1: NO PLAN OF ATTACK PITFALL 2: FAILURE TO ENGAGE THE BUSINESS 5 Pieces of DLP Advice You Can’t Afford to Ignore 23 PITFALL 3: INADEQUATELY TRAINED RESOURCES 5 Pieces of DLP Advice You Can’t Afford to Ignore 24 DATA-IN-MOTION PITFALLS: M i s s i n g t h e Ta r g e t – F a l s e S e n s e o f S e c u r i t y Mis-configured Tap or Port Span Problem Missing segments of network traffic or protocols Solution Comprehensive test plan that maps to in scope business processes and related data types transmitted from various network locations to ensure all relevant data streams are being captured. Encryption – The Masked Data Problem Analysis of data DID NOT take place prior to encryption. Solution Comprehensive test plan that proves ALL DLP data assessment takes place prior to the gateway encryption & implement managed “test” DLP policies that identify encrypted transmissions as part of the test plan. Misfire of Network Discovery Scans Network versus Endpoint Discovery Problem Locations of sensitive data never targeted by the organization for scanning due to lack of an effective policy governance process. Problem Running DAR scans using a combo of network & endpoint without thinking about which policy types & detection methods are not the same. Solution Identify potential data stores by discussing the DLP program with staff to understand process. Solution Prior to acquiring DLP solution, have an understanding of the data types that make up your target environment & then, decide on scanning method. . DATA-IN-MOTION (ENDPOINT) PITFALLS: T h e P a n d o r a ’s B o x o f D L P Environment Assessment Staying in Contact • Problem No rigorous endpoint environment assessment prior to the selection of the application & enablement. • Problem Failure to monitor endpoint population & their frequency of “checking-in” to the management server with validated results. • Solution Address age of environment, performance capabilities, technical & human issues, & load of applications, in conjunction with education on the DLP endpoints. • Solution Phased deployment of endpoint with validation via test plan on initial success of ALL agents & ongoing endpoint agent health reports. User Performance Impacts Network/System Performance Impacts • Problem Implementing same policies for network based & endpoint assessments without testing or modification. • Problem Failure to calculate & measure the impact of endpoint policy traffic across wide & local area network connections. • Solution Utilize a comprehensive test plan outlining specific metrics (time to open files, open/send emails, open applications) prior to deployment. • Solution Thorough assessment of endpoint policies that addresses all of the concerns including policy design requirements, timing, frequency & delivery methods. USE CASE –POST PROJECT STATE Organization Overview: Defined specific business units to initiate program DLP Scope: Focused on 3 specific product lines linked to highest revenue & earnings DLP Primary Goal: Identification of unauthorized movement of specific elements of IP Application Management: Operated by a combination of IT, messaging & desktop management teams Policy Governance: 100% customized policies based on data collected from business unit Incident Triage: Daily review of incidents by Information Security Event Management: Incidents meeting severity criteria routed to business unit for investigation Reporting and Metrics: Behavioral pattern analysis leading to preventive actions Status: R&D teams have high-level of confidence in ability to identify leakage of IP. QMS SAMPLE QUARTERLY REPORT Number of Hours Intelisecure DLP QMS: Six Month Trend Application Management Policy Governance Incident Triage Event Management Reporting & Analytics Time BEW GLOBAL HQ BEW GLOBAL EMEA BEW GLOBAL APAC 5613 DTC Parkway Suite 1250 Greenwood Village, CO 80111 USA 3 Albany Court Albany Park Camberley GU16 7QR England 520 Oxford Street Level 23, Tower 1 Bondi Junction Sydney 2022 (ph) +1 720 227 0990 (fax) +1 720 227 0984 (ph) +44 (0) 845 481 0882 (fax) +44 (0) 871 714 2170 (ph) +61 (2) 9513 8800 (fax) +61 (2) 9513 8888 www.bewglobal.com www.bewglobal.com www.bewglobal.com